T1611 Escape to Host Mappings

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1611 Escape to Host
AC-3 Access Enforcement Protects T1611 Escape to Host
AC-4 Information Flow Enforcement Protects T1611 Escape to Host
AC-5 Separation of Duties Protects T1611 Escape to Host
AC-6 Least Privilege Protects T1611 Escape to Host
CM-5 Access Restrictions for Change Protects T1611 Escape to Host
CM-6 Configuration Settings Protects T1611 Escape to Host
CM-7 Least Functionality Protects T1611 Escape to Host
IA-2 Identification and Authentication (organizational Users) Protects T1611 Escape to Host
SC-18 Mobile Code Protects T1611 Escape to Host
SC-2 Separation of System and User Functionality Protects T1611 Escape to Host
SC-3 Security Function Isolation Protects T1611 Escape to Host
SC-34 Non-modifiable Executable Programs Protects T1611 Escape to Host
SC-39 Process Isolation Protects T1611 Escape to Host
SC-7 Boundary Protection Protects T1611 Escape to Host
SI-16 Memory Protection Protects T1611 Escape to Host
SI-2 Flaw Remediation Protects T1611 Escape to Host
SI-3 Malicious Code Protection Protects T1611 Escape to Host
SI-4 System Monitoring Protects T1611 Escape to Host
SI-7 Software, Firmware, and Information Integrity Protects T1611 Escape to Host